
By Sukant Kumar, Cybersecurity Researcher
For $40 and a tutorial video, anyone can deploy a fully functional information stealer with credential harvesting, screen capture, Wi-Fi password extraction, file collection, persistence installation, and remote access, all controlled through a Telegram bot. KeyCat is a Python-based, multi-platform infostealer and remote access toolkit targeting both Windows and Linux environments.
It surfaced as a publicly accessible GitHub Gist containing the full stealer source code in February 2026, with Flare's automated classifier flagging the discovery as a "High" severity malicious Python-based information stealer (KeyCat Ultimate Stealer) designed to operate on both Windows and Linux systems.
KeyCat source code circulated publicly from late February 2026 and was subsequently reused across at least four distinct Telegram listings between March and May 2026, including regionalized Tunisia-targeted variants and generic $40 Malware-as-a-Service (MaaS) offerings. Whether these represent a single operator evolving the product or multiple actors forking publicly available code cannot be determined from the available telemetry. The combination of low price, bundled operational guidance, and trivially reconfigurable C2 infrastructure means that every independent deployment produces a distinct instance with no connection to the original operator, making token-specific detection ineffective and behavioral signatures the only durable defense.
Key Takeaways About KeyCat Stealer
- KeyCat is a fully operational, multi-platform infostealer with confirmed active staging infrastructure and a live Telegram C2 channel. Static source code analysis, C2 telemetry extracted via Matkap bot message interception, and controlled payload retrieval from a compromised WordPress site collectively confirm that the stealer, control bot, and RAT modules form a coherent malicious suite operating under a shared Telegram bot token.
- The stealer entered commercial distribution in April 2026, first as a $40 MaaS offering with a tutorial video, then as a Stealer-as-a-Service (StaaS) platform. The StaaS relaunch under a dedicated administrator handle (@keycatadmin) removes the remaining operational barriers for buyers: customers pay for output (stolen credentials) rather than managing infrastructure themselves, so no technical skill is required at all.
- Every independent deployment is trivially reconfigurable. Buyers need only modify two constants (TOKEN and ADMIN_ID) in the source code to produce a distinct C2 channel with no connection to the original operator’s infrastructure. This means token-specific detection degrades immediately against derivative builds.
- The stealer implements a nine-stage execution chain. It covers anti-analysis checks, C2 configuration, host profiling, screen capture, Wi-Fi credential extraction, credential dumping via LaZagne, sensitive file harvesting, data packaging and exfiltration, and persistence installation, all automated within a single execution and exfiltrated via Telegram’s sendDocument API.
- Multiple staging channels were observed, including a compromised Italian agricultural business WordPress site (pantaleoagricoltura[.]it), Pastebin, Ubuntu Paste, and Limewire, reflecting an operator who rotates hosting across builds and uses legitimate services to avoid blocking. The March promotion also used keycat.x10[.]mx/Tunisia, indicating additional infrastructure beyond these staging channels.
Detect Infostealers and Stolen Credentials Before Attackers Exploit Them
Flare’s automated classifiers flagged KeyCat the moment its source code surfaced publicly, then tracked its commercialization across Telegram channels in real time. Get the same continuous visibility into emerging malware, stolen credentials, and MaaS offerings targeting your organization.
Initial Discovery on GitHub Gist
KeyCat stealer surfaced as a publicly accessible GitHub Gist containing the full stealer source code on February 28, 2026. Flare identified the discovery as a high-severity malicious Python-based information stealer designed to operate on both Windows and Linux systems. The choice of Python does impose practical deployment and reliability limits compared with native malware frameworks: the target needs a working Python interpreter (the Windows persistence entry, for example, launches the stealer via pythonw.exe).
The emergence of a separate commercial distribution channel and a dedicated StaaS administrator (@keycatadmin) significantly elevates the threat’s reach and operational risk.

High severity event flagged on Flare (Flare link to post)

AI Assist summary on Flare describing the stealer
Following initial discovery, a keyword search for "KeyCat" on Flare identified two additional posts (discussed in a later section) in April 2026, revealing that the malware had entered commercial distribution channels. These findings materially escalated the threat's assessed risk level and scope.
Technical Analysis
From a technical standpoint, KeyCat demonstrates comparatively simpler tradecraft and implementation patterns than higher-complexity Python infostealers. The SANS ISC sample layered Fernet-encrypted exfiltration, threaded execution, a keylogger, and an embedded Flash phishing server on top of a Telegram-based C2 channel. PXA Stealer, profiled in the Ghost in the Zip campaign, used multi-stage DLL sideloading through signed applications and a Cloudflare Worker-backed relay. By contrast, KeyCat is a single-script, low-to-moderate sophistication stealer that leans on LaZagne and basic OS primitives for collection, with a hardcoded Telegram token and a linear, error-tolerant execution flow.
It nevertheless implements the full infostealer pipeline: credentials, Wi-Fi keys, SSH material, screenshots, ZIP packaging, persistence, and Telegram-based C2. Therefore, the operational risk comes from its capability breadth and commercialization, not from novel tradecraft.

Stealer features being demonstrated on Telegram C2 channel
Capability Breakdown
The stealer executes a nine-stage chain, from anti-analysis through persistence, within a single automated run.
Stage 1: Anti-Analysis and Stealth Initialization

anti_debug logic
The stealer’s first action is anti_debug(), which exits silently via sys.exit(0) if a Python debugger is detected through sys.gettrace(). On Linux, it also checks /proc/cpuinfo for hypervisor or QEMU strings, directly targeting virtualized analysis environments. Both exits produce no output, making termination indistinguishable from clean execution in monitoring logs.

Stealth functionality on Windows
On Windows, stealth measures activate at import time, before any collection logic runs. The console window is hidden using ShowWindow(GetConsoleWindow(), 0), and the window title is set to svchost.exe to blend with legitimate Windows service processes. Any subsequent commands the stealer runs (netsh, powershell, lazagne.exe, pip) execute without opening visible windows, using a hidden STARTUPINFO object applied consistently to every child process.

Stealth functionality on Linux
On Linux, the stealer backgrounds itself through a double-fork daemonization routine, detaches from the controlling terminal via setsid(), and redirects all standard I/O to /dev/null. It then renames its own process to [kworker/0:0] using prctl(PR_SET_NAME) via libc.so.6, impersonating a kernel worker thread in process listings and /proc/<PID>/status.
Stage 2: C2 Channel Configuration

Telegram C2 configuration
The Telegram Bot token and Chat ID are hardcoded as cleartext constants in the source.

Telegram C2 communication mechanism and methods
All communication flows over Telegram's Bot API. The Send_telegram() function sends HTML-formatted text via the sendMessage method; the send_flle() function transmits files via the sendDocument method. No actor-controlled server is involved: Telegram serves as both the C2 channel and the exfiltration endpoint, exploiting a legitimate, widely trusted platform that is rarely blocked at the network perimeter.
Stage 3: Host Profiling and Initial Beacon

System information extraction
On execution, the stealer immediately sends a notification to the operator, followed by a detailed host profile. The HWID is a 12-character hexadecimal identifier derived (truncated) from the MD5 hash of hostname + username, so it is stable across runs on the same host and user and recurs in the archive name used in Stage 8.

C2 beacon containing system information
The message logs (extracted via Matkap) confirmed this beacon. The profile (hostname, username, HWID, local IP, OS, and CPU) is sent as a formatted Telegram message.
Stage 4: Screen Capture

Screen capture logic for Windows
The stealer captures the primary display and saves it as "screenshot_<timestamp>.png" in the system temp directory. On Windows it uses the ImageGrab.grab() function; if that fails, it falls back to a PowerShell script that captures the screen via System.Windows.Forms and System.Drawing, run with -ExecutionPolicy Bypass and a hidden window.

Screen capture logic for Linux

C2 beacon containing screenshot file
On Linux, the malware attempts multiple screenshot utilities in sequence (gnome-screenshot, ImageMagick import, and scrot), selecting the first available binary on the host. The captured image is exfiltrated via Telegram sendDocument and subsequently removed from disk.
Stage 5: Wi-Fi Credential Extraction

Wi-Fi password capture logic for Windows
On Windows, the stealer enumerates saved Wi-Fi profiles using netsh wlan show profiles and retrieves the cleartext password for each via netsh wlan show profile name="<SSID>" key=clear, executed silently. On Linux, it reads NetworkManager connection files directly from /etc/NetworkManager/system-connections and extracts PSKs via the regex psk=(.+). That directory is readable only by root (or network-admin group members) on standard system configurations, so the Linux Wi-Fi step yields nothing when the stealer runs as an unprivileged user; the error-tolerant flow simply moves on to the next stage.
Stage 6: Credential Dumping via LaZagne

Credential dumping logic
The stealer stages and executes LaZagne, an open-source credential recovery tool, to harvest stored credentials from browsers and applications. If LaZagne is not already present on the host, it is fetched at runtime from the official GitHub repository (the compiled lazagne.exe release on Windows, a clone of the repository on Linux), then executed against the supported credential stores with a 120-second timeout and a hidden window. The runtime download is itself a detection opportunity: it produces an outbound github.com request from a Python process immediately before credential dumping begins.
Stage 7: Sensitive File Harvesting

Recursive search for sensitive files logic
The stealer walks user-accessible directories, collecting files whose extension matches a target list (.txt, .pdf, .doc/.docx, .xls/.xlsx, .kdbx, .ovpn, .key, .odt, .ods) or whose filename contains credential-indicative keywords. SSH key material (id_rsa, id_rsa.pub) is collected unconditionally, independent of the keyword match.
Stage 8: Data Packaging and Exfiltration

Data package and exfiltration logic
All collected data (system profile, Wi-Fi credentials, LaZagne output, and harvested files) is compressed into a single keycat_data_<HWID>.zip archive and sent to the operator via Telegram sendDocument. The local ZIP and all intermediate files are deleted after transmission to reduce on-disk forensic remnants.

C2 beacon for data collection confirmation
Matkap captures show the resulting document messages following the "Collection Complete" notification for each host session.
Stage 9: Persistence Installation

Persistence logic for Windows

Persistence installation beacon
The stealer installs persistence after exfiltration completes, converting a one-shot execution into a recurring collection capability. On Windows, a registry Run key entry launches the stealer silently at user logon using pythonw.exe. On Linux, dual persistence is established through both a cron @reboot entry and a background launch appended to ~/.bashrc. Both suppress output and operate independently, ensuring relaunch survives reboots and shell restarts without either mechanism depending on the other.
Control Bot Module

KeyCat Commands and Features menu
The Telegram-based control bot operates on the same token, providing the operator with stealer staging, delivery artifact generation, and infrastructure management.
Repeated /upload failures, a JSON parse error on config.json, and an HTTPS connection failure to pastebin.ubuntu[.]com indicate an unstable, actively iterated deployment pipeline rather than a production-grade operation.
RAT Module

RAT module presence in local directory

RAT Commands menu
A companion RAT module (1.py) was observed operating via the same Telegram bot token, providing interactive access to compromised or controlled hosts, separate from the automated stealer execution flow. Its command surface includes filesystem operations (ls, cd, download, upload), system interrogation (info, ps, location, shell <cmd>), persistence management, and surveillance capabilities (screenshot, webcam, keylogger start|stop).
Note: the RAT source was not present in the stealer source code; its capability surface is derived solely from message interactions extracted via Matkap.
Infrastructure and Delivery
Confirmed Staging Infrastructure
The primary confirmed staging host observed during analysis of the C2 telemetry is pantaleoagricoltura[.]it, the WordPress website of an Italian agricultural business.

VirusTotal score of pantaleoagricoltura[.]it

Payload upload command captured via Matkap
The stealer payload is served from the WordPress plugins directory, a path consistent with web shell or plugin-based file drops on compromised WordPress installations: pantaleoagricoltura[.]it/wp-content/plugins/stealer.py

Curl request to fetch the payload

Payload fetched via curl containing same stealer source code
A curl request to fetch the staged stealer confirmed that the payload is identical to the stealer source code initially identified on the GitHub Gist via Flare, including the same embedded bot token, admin ID, and inline Arabic comments.
Multi-Channel Staging Model

Instructions to use the bot commands
The control bot’s /upload command is designed to push the stealer to a remote hosting service and save the resulting URL to config/config.json for downstream use by /build.
Analysis of the Telegram C2 telemetry revealed three further staging URLs in addition to the pantaleoagricoltura[.]it domain, reflecting the operator's use of multiple paste and file-sharing services:
Pastebin[.]com/uiWhrkRn

Stealer hosting confirmation on Pastebin
Hosted the KeyCat stealer source code in cleartext, making the payload logic publicly accessible and reflecting reliance on open paste services for staging.

Pastebin post containing KeyCat stealer source code
Pastebin[.]ubuntu[.]com/pzn6Gh6XKb/H/plain

Stealer hosting confirmation on Pastebin Ubuntu
The content aligns with the analysed sample, suggesting use of Ubuntu Paste as a development or early staging channel.

Ubuntu Pastebin post containing KeyCat stealer source code
Limewire[.]com/dE4Kfzx3bKk2Eefa

Stealer hosting confirmation on Limewire

Expired hosting error on Limewire
The Limewire link is a file-sharing URL used for payload distribution. An attempt to fetch the payload returned "content not found" at the time of analysis, consistent with short-lived staging infrastructure used for initial payload delivery.

/build command instructions
The /build command generates three delivery artifacts from the staged URL: downloader.py (Python), install.bat (Windows batch), and KeyCatLoader.exe (compiled executable), giving the operator platform-specific delivery options for target deployment.

Proxy configuration status
The operator additionally configured SOCKS5/Tor proxy routing (127.0.0.1:9050) through the control bot’s /proxy toggle, confirmed enabled in the proxy status.
Observed Systems and Operator Environment

System profile information
All observed hosts share the local IP 10.0.2.15, the default guest address in VirtualBox/QEMU user-mode NAT, consistent with a virtualized environment; HWIDs 39fce4e68050 and 6bab49be7c01 share the public IP 105.99.61.221, indicating that both VMs egress through the same NAT gateway, most likely the operator's own test environment.
Language Attribution: Native Arabic inline comments in both the analyzed Gist sample and the live-retrieved payload from pantaleoagricoltura[.]it indicate a common source and are consistent with an Arabic-speaking author.
Threat Commercialization, Regional Positioning and MaaS/StaaS Activity
Tunisia-Focused Commercialization and Capability Positioning (March 27th, 2026)

Tunisia-specific KeyCat theft component post (Flare link to post)
We observed a Telegram post from "001 Tun 🇹🇳" advertising a Tunisia-specific, KeyCat-linked theft component, stated to be designed for "Tunisian users only" and explicitly claiming theft support for D17 and E-DINAAR wallets and bank accounts, with coverage spanning more than 12 Tunisian banks and three wallets from the Tunisian Post.

Expired domain status
The post also claimed antivirus bypass and distributed the component via keycat.x10[.]mx/Tunisia. At the time of follow-up validation the URL was no longer live, indicating the infrastructure had been removed or rotated.

Pivot on KeyCat domain (Flare link to post)
A subsequent Flare pivot on the keycat.x10[.]mx domain surfaced an earlier, March 25 Telegram post: an advertisement and instructional guide for the KeyCat Stealer platform, posted by the threat actor group BlackMaskers.
The actor provided step-by-step instructions for prospective customers to access the platform at https://keycat.x10[.]mx, where users must register to receive a private access code. To actually build and deploy the stealer, customers must purchase a plan by contacting the administrator (@anaconda_admin) via direct message.

KeyCat stealer builder/customer portal interface
The platform requires users to input their own Telegram bot token and user ID, which become the command-and-control channel for the stolen data. Once configured, customers receive the generated stealer build to deploy against their chosen targets.

KeyCat Tunisian Ultimate Stealer advertisement (Flare link to post)
A second Telegram post by "KC_Stealer_Bot" presented a more mature, productized offering under the label "KEYCAT TUNISIAN ULTIMATE STEALER." The post advertised commands such as /build, /victims, and /clean, and listed theft coverage for all Tunisian banks including BNA, STB, BT, Attijari, BIAT, and UIB.
The build/status/cleanup command set is consistent with the control-bot workflow previously observed in the Telegram C2 telemetry, where the same ecosystem exposed build, status, and clean functions for stealer packaging and operator management.
The original code we analyzed supports only part of the feature set advertised in the May 10 post. The sample reviewed exposes no dedicated routines for Discord token theft, named Tunisian bank targeting, or explicit crypto wallet module logic, so those Telegram claims are evidence of either later packaging or downstream modification relative to the baseline stealer code.
The March 27th Tunisia-themed post marked the first observed shift from generic stealer functionality toward geographically scoped financial targeting; subsequent Telegram activity in early April shows the same toolset moving into a broader commercial distribution.
MaaS Distribution (April 7th, 2026)
A "KeyCat" keyword search on Flare identified two additional posts, revealing that the malware had entered commercial distribution channels.

KeyCat advertisement (Flare link to post)
The threat actor "CatCloud" was seen advertising a comprehensive suite of cybercrime tools and services on Telegram, operating as a malware-as-a-service (MaaS) vendor. The offerings include the KeyCat Stealer source code for $40 with an instructional video; at that price point and with a tutorial, the listing targets low-skill buyers who need operational guidance.
The observed timeline, with the stealer source code appearing on a public GitHub Gist in late February 2026 and Telegram-based commercialization following in early April, combined with the versioning progression from "KeyCat Control Bot" to "KeyCat Professional v3.0.0" (observed in C2 telemetry extracted via Matkap), suggests continued evolution of the toolset.
Buyers can independently deploy a functional KeyCat instance by modifying only two constants (TOKEN and ADMIN_ID) in the source. Each modified instance produces a distinct C2 channel with no connection to the original operator’s infrastructure.
Stealer-as-a-Service (StaaS) Relaunch (April 11th, 2026)

KeyCat repositioning as StaaS (Flare link to post)
A Telegram message observed on April 11, 2026 announced the return of KeyCat under a dedicated administrator handle @keycatadmin, repositioning it as a Stealer-as-a-Service (StaaS) platform with expanded criminal offerings to include:
- Stealer access: managed credential theft capability delivered as a service
- Premium services for SPAM campaigns: bulk messaging operations
- CRACK operations: credential cracking services
- All advertised at “competitive low prices”
Compared to the MaaS model, where operators deploy and manage the malware themselves, a StaaS model removes all operational barriers. Customers pay for output rather than infrastructure, eliminating the technical barrier to entry entirely for prospective buyers.
MITRE ATT&CK Mapping
| Tactic | Technique | Sub-Technique | Supporting Evidence |
|---|---|---|---|
| Resource Development | T1587 Develop Capabilities | T1587.001 Malware | Operator-authored stealer, RAT, and control bot confirmed across source code and Telegram C2 telemetry. |
| Resource Development | T1583 Acquire Infrastructure | T1583.006 Web Services | GitHub Gist flagged by Flare on 28 February 2026; paste staging URLs confirmed in extracted C2 telemetry messages via Matkap. |
| Resource Development | T1584 Compromise Infrastructure | T1584.004 Server | pantaleoagricoltura[.]it confirmed compromised WordPress; stealer served from /wp-content/plugins/stealer[.]py. |
| Execution | T1059 Command and Scripting Interpreter | T1059.006 Python | KeyCat stealer is a Python script; Windows: pythonw.exe "{script_path}" in persistence code; Linux: /usr/bin/python3 {script_path} in cron entry. |
| Command and Control | T1105 Ingress Tool Transfer | — | LaZagne fetched from the GitHub repository at runtime; stealer itself fetched from staging URLs by the /build downloader artifacts. |
| Persistence | T1547 Boot or Logon Autostart Execution | T1547.001 Registry Run Keys / Startup Folder | winreg.SetValueEx(regkey, "WindowsUpdateService", 0, REG_SZ, 'pythonw.exe "{script_path}"') under HKCU\Software\Microsoft\Windows\CurrentVersion\Run; “Persistence installed” messages confirmed via extracted C2 telemetry via Matkap. |
| Persistence | T1053 Scheduled Task/Job | T1053.003 Cron | @reboot /usr/bin/python3 {script_path} >/dev/null 2>&1 written via crontab -l pipe in install_persistence(). |
| Persistence | T1546 Event Triggered Execution | T1546.004 Unix Shell Configuration Modification | (python3 {script_path} &>/dev/null &) appended to ~/.bashrc in install_persistence(). |
| Defence Evasion | T1622 Debugger Evasion | — | if sys.gettrace() is not None: sys.exit(0) in anti_debug(), executed before any collection logic. |
| Defence Evasion | T1497 Virtualization/Sandbox Evasion | T1497.001 System Checks | Linux: /proc/cpuinfo read in anti_debug() function; sys.exit(0) if hypervisor or qemu strings present. |
| Defence Evasion | T1036 Masquerading | T1036.005 Match Legitimate Resource Name or Location | Windows: SetConsoleTitleW("svchost.exe") at import time. Linux: prctl(15, b"[kworker/0:0]", 0, 0, 0) in hide_process() called from become_daemon(). |
| Defence Evasion | T1564 Hide Artifacts | T1564.003 Hidden Window | ShowWindow(GetConsoleWindow(), 0); STARTUPINFO with SW_HIDE applied to all child processes (netsh, powershell, lazagne.exe, pip). |
| Discovery | T1082 System Information Discovery | — | Hostname, OS, CPU collected via platform module; confirmed in extracted C2 telemetry messages. |
| Discovery | T1016 System Network Configuration Discovery | — | Local IP via non-transmitting UDP socket; public IP via api.ipify.org; confirmed in C2 beacons. |
| Discovery | T1033 System Owner/User Discovery | — | getpass.getuser() and socket.gethostname() collected and transmitted in initial beacon. Confirmed in all C2 telemetry host profile messages. |
| Collection | T1119 Automated Collection | — | Recursive directory traversal with keyword and extension filter. |
| Collection | T1005 Data from Local System | — | SSH keys, .kdbx, .ovpn, credential-named documents collected from the local filesystem. |
| Collection | T1560 Archive Collected Data | T1560.001 Archive via Library | keycat_data_<HWID>.zip built via Python zipfile module. |
| Credential Access | T1552 Unsecured Credentials | T1552.001 Credentials in Files | Wi-Fi PSKs via netsh “Key Content” field and NetworkManager /etc/NetworkManager/system-connections regex; credential-named files collected in Stage 7. |
| Command and Control | T1071 Application Layer Protocol | T1071.001 Web Protocols | All C2 traffic over HTTPS to api.telegram[.]org. |
| Command and Control | T1102 Web Service | T1102.002 Bidirectional Communication | Telegram Bot API used for both inbound operator commands and outbound exfiltration on the same token. |
| Exfiltration | T1041 Exfiltration Over C2 Channel | — | All collected data exfiltrated via Telegram sendDocument method. |
Indicators of Compromise
Network and Infrastructure
| Type | Value |
|---|---|
| Stealer Staging URLs | pantaleoagricoltura[.]it/wp-content/plugins/stealer.py; limewire[.]com/dE4Kfzx3bKk2Eefa; Pastebin[.]com/uiWhrkRn; Pastebin[.]ubuntu[.]com/pzn6Gh6XKb/H/plain |
| Stealer Builder / Customer Portal | keycat.x10[.]mx/Tunisia |
| C2 Endpoints | api.telegram[.]org/bot{TokenValue}/sendMessage api.telegram[.]org/bot{TokenValue}/sendDocument |
| LaZagne – Credential Dumper | Github[.]com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe Github[.]com/AlessandroZ/LaZagne.git |
Telegram Infrastructure
| Type | Value |
|---|---|
| Bot Token | 8580574873:AAEpwGPFMGWBDnNfGxwd9XGtl44y0nnDdwk |
| Admin Chat ID | 6704703899 |
| StaaS Administrator Handle | @keycatadmin |
Detection and Defensive Strategies
KeyCat does not rely on a single noisy indicator. Most of the individual events it generates (Python execution, PowerShell usage, HTTPS traffic) appear benign in isolation. The signal emerges when these events occur in sequence, particularly when tied to a single process lineage, so detection is more reliable when it focuses on behavioral chaining rather than standalone alerts.
Endpoint Behavioral Indicators
Windows
- A pythonw.exe or python.exe process spawning netsh wlan show profiles followed by netsh wlan show profile name="<SSID>" key=clear with window creation suppressed is anomalous outside network management tooling. The subprocess chain is visible in Sysmon/EDR process creation events regardless of window suppression.
- The same process then retrieves LaZagne directly from GitHub (/AlessandroZ/LaZagne/releases/download/) and executes lazagne.exe from %APPDATA%\LaZagne\. This sequence, a runtime download followed by credential dumping, is a strong indicator of malicious activity, particularly on endpoints where Python-based tooling is not expected.
- Persistence via a Run key value named WindowsUpdateService that points at pythonw.exe does not correspond to any legitimate Windows Update component and should be flagged.
- PowerShell invoked with -ExecutionPolicy Bypass to capture screenshots via System.Windows.Forms is notable when it appears as a child of a Python process performing other collection tasks.
Linux
- KeyCat daemonizes via a standard double fork (fork → setsid → fork), then renames itself through a separate routine (prctl(PR_SET_NAME, "[kworker/0:0]")) after a short delay. The detection pivot lies in /proc inconsistencies: a genuine kernel worker thread has an empty /proc/<PID>/cmdline, no /proc/<PID>/exe target, and PPid 2 (kthreadd), whereas the impostor exposes the Python interpreter and script path in cmdline, an exe link to the Python binary, and a userspace parent (typically PID 1 after the double fork). prctl only rewrites the 15-byte comm field that ps and top display; it does not touch cmdline.
- LaZagne is cloned into ~/.config/LaZagne/ and remains after execution, which is unusual on endpoints where development tooling is not expected; the directory provides a reliable filesystem artifact for retrospective hunting.
- Persistence is established via @reboot entries in the user crontab (e.g., @reboot /usr/bin/python3 <path> >/dev/null 2>&1). Each execution may append a further entry, so reviewing only the most recent line is insufficient; compare the full crontab against a known-good baseline to identify residual persistence.
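The /proc inconsistency described in the first bullet (and the prctl renaming from Stage 1) can be checked programmatically. What follows is an added example written for this page, not code from the original post or from KeyCat: it models the fields a collector reads from /proc/<pid>/{comm,cmdline,status,exe} and flags any process that claims a kworker name while carrying userspace attributes. The sample records, their PIDs, and the script path in them are constructed; read_live_proc() walks the real /proc on a Linux host.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

KTHREADD_PID = 2  # every genuine kernel thread is a child of kthreadd
# prctl(PR_SET_NAME) only rewrites the 15-byte comm field; the brackets are what ps
# prints for kernel threads, and KeyCat includes them in the name it sets.
KWORKER_RE = re.compile(r"^\[?kworker/[^\]\s]+\]?$")


@dataclass
class ProcRecord:
    """Subset of /proc/<pid>/{comm,cmdline,status,exe} a collector would read."""
    pid: int
    ppid: int
    comm: str            # /proc/<pid>/comm (what ps/top show)
    cmdline: str         # /proc/<pid>/cmdline, NULs joined by spaces; empty for kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when there is no userspace image


def is_kworker_impostor(p: ProcRecord) -> bool:
    """A process that calls itself kworker but shows any userspace attribute."""
    if not KWORKER_RE.match(p.comm):
        return False
    # A real kworker has none of these; any one is enough to flag.
    return p.ppid != KTHREADD_PID or p.cmdline != "" or p.exe is not None


def find_impostors(records: List[ProcRecord]) -> List[ProcRecord]:
    return [p for p in records if is_kworker_impostor(p)]


def read_live_proc() -> List[ProcRecord]:
    """Walk the real /proc on a Linux host. cmdline is world-readable, so a
    root-owned impostor is still caught even when readlink(exe) is denied."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").strip().decode(errors="replace")
            ppid = 0
            with open(f"/proc/{pid}/status") as f:
                for line in f:
                    if line.startswith("PPid:"):
                        ppid = int(line.split()[1])
                        break
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = None  # kernel thread, or a process we are not allowed to inspect
            out.append(ProcRecord(pid, ppid, comm, cmdline, exe))
        except OSError:
            continue  # process exited mid-walk
    return out


# Constructed sample: a genuine kernel worker, a KeyCat-style impostor, a normal shell.
SAMPLE = [
    ProcRecord(pid=23, ppid=2, comm="kworker/0:1", cmdline="", exe=None),
    ProcRecord(pid=4711, ppid=1, comm="[kworker/0:0]",
               cmdline="/usr/bin/python3 /home/user/.cache/stealer.py", exe="/usr/bin/python3.11"),
    ProcRecord(pid=1200, ppid=1, comm="bash", cmdline="-bash", exe="/usr/bin/bash"),
]

if __name__ == "__main__":
    records = read_live_proc() if os.path.isdir("/proc") else SAMPLE
    for p in find_impostors(records):
        print(f"[!] pid {p.pid} comm={p.comm!r} ppid={p.ppid} exe={p.exe} cmdline={p.cmdline!r}")
```

The three attributes are checked independently on purpose: an unprivileged collector cannot readlink /proc/<pid>/exe of a root-owned process, but cmdline and PPid remain readable, so the impostor is still caught.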
Cross-Platform
- The core behavioral fingerprint is the execution sequence api.ipify[.]org GET → api.telegram[.]org/sendMessage POST → api.telegram[.]org/sendDocument POST, all from a single Python process within seconds. No individual call is malicious on its own; the ordered sequence originating from a non-browser Python process is the detection trigger.
- In filesystem telemetry, watch for keycat_data_<12-hex>.zip, screenshot_<timestamp>.png, and passwords_<timestamp>.txt appearing and disappearing in the system temp directory within the same execution window. ZIP creation followed by immediate deletion alongside an outbound sendDocument call is high-confidence exfiltration regardless of archive name.
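A minimal correlation of the two cross-platform indicators above, as an added example that is not part of the original report or of KeyCat. It takes per-process network and file events in a simplified, EDR-style dict format (the field names, PIDs, timestamps, image paths and script path are assumptions), checks for the ordered ipify → sendMessage → sendDocument chain from a Python process inside a time window, extracts the bot token from the Telegram URL path to match it against the IOC table, and flags a temp artifact that is created, followed by a sendDocument, then deleted. The 60-second window is an assumption; the report only says "within seconds".

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3", "python"}
# The Telegram Bot API puts the token (numeric bot id, colon, secret) in the URL path.
TOKEN_RE = re.compile(r"api\.telegram\.org/bot(\d+:[A-Za-z0-9_-]{30,})/(\w+)")
# Temp-directory artifacts named in the report; the ZIP name carries the 12-hex HWID.
ARTIFACT_RE = re.compile(r"(keycat_data_[0-9a-f]{12}\.zip|screenshot_\d+\.png|passwords_\d+\.txt)$")
KNOWN_BAD_TOKENS = {"8580574873:AAEpwGPFMGWBDnNfGxwd9XGtl44y0nnDdwk"}  # from the IOC table
CHAIN = ("ipify", "sendMessage", "sendDocument")
WINDOW_S = 60  # assumption: allow a minute of slack for the whole beacon chain

Finding = Tuple[int, str, str]


def image_name(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def chain_step(ev: Dict) -> str:
    """Name the KeyCat beacon step a network event corresponds to, or '' if none."""
    if ev["method"] == "GET" and "api.ipify.org" in ev["url"]:
        return "ipify"
    m = TOKEN_RE.search(ev["url"])
    if m and ev["method"] == "POST" and m.group(2) in ("sendMessage", "sendDocument"):
        return m.group(2)
    return ""


def detect(events: List[Dict]) -> List[Finding]:
    """Correlate events per process; returns sorted (pid, tag, detail) findings."""
    findings = set()
    events = sorted(events, key=lambda e: e["ts"])
    # A known-bad token is conclusive from any process, Python or not.
    for ev in events:
        if ev["kind"] == "net":
            m = TOKEN_RE.search(ev["url"])
            if m and m.group(1) in KNOWN_BAD_TOKENS:
                findings.add((ev["pid"], "known_bad_token", m.group(1)))
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    for pid, evs in by_pid.items():
        if image_name(evs[0]["image"]) not in PYTHON_IMAGES:
            continue
        steps, first_ts = [], 0.0
        send_doc_ts = []   # when this process POSTed sendDocument
        created = {}       # artifact name -> creation ts, awaiting deletion
        for ev in evs:
            if ev["kind"] == "net":
                step = chain_step(ev)
                if step == "sendDocument":
                    send_doc_ts.append(ev["ts"])
                # accept a step only if it is the next one expected, inside the window
                if step and len(steps) < len(CHAIN) and step == CHAIN[len(steps)]:
                    if not steps:
                        first_ts = ev["ts"]
                    if ev["ts"] - first_ts <= WINDOW_S:
                        steps.append(step)
            elif ev["kind"] == "file":
                am = ARTIFACT_RE.search(ev["path"])
                if not am:
                    continue
                name = am.group(1)
                if ev["action"] == "create":
                    created[name] = ev["ts"]
                elif ev["action"] == "delete" and name in created:
                    c = created.pop(name)
                    # create -> sendDocument -> delete is the exfiltration signature
                    if any(c <= t <= ev["ts"] for t in send_doc_ts):
                        findings.add((pid, "artifact_exfil", name))
        if tuple(steps) == CHAIN:
            findings.add((pid, "beacon_chain", "->".join(CHAIN)))
    return sorted(findings)


TOKEN = "8580574873:AAEpwGPFMGWBDnNfGxwd9XGtl44y0nnDdwk"
TG = f"https://api.telegram.org/bot{TOKEN}/"
TMP = "C:\\Users\\user\\AppData\\Local\\Temp\\"
PY = "C:\\Python312\\pythonw.exe"
# Constructed telemetry: one KeyCat run (pid 4242), a browser on web.telegram.org, and a
# harmless script that only asks ipify for its address.
EVENTS = [
    {"ts": 0, "pid": 4242, "image": PY, "kind": "net", "method": "GET", "url": "https://api.ipify.org"},
    {"ts": 1, "pid": 4242, "image": PY, "kind": "net", "method": "POST", "url": TG + "sendMessage"},
    {"ts": 3, "pid": 4242, "image": PY, "kind": "file", "action": "create", "path": TMP + "screenshot_1714000000.png"},
    {"ts": 4, "pid": 4242, "image": PY, "kind": "net", "method": "POST", "url": TG + "sendDocument"},
    {"ts": 5, "pid": 4242, "image": PY, "kind": "file", "action": "delete", "path": TMP + "screenshot_1714000000.png"},
    {"ts": 20, "pid": 4242, "image": PY, "kind": "file", "action": "create", "path": TMP + "keycat_data_39fce4e68050.zip"},
    {"ts": 22, "pid": 4242, "image": PY, "kind": "net", "method": "POST", "url": TG + "sendDocument"},
    {"ts": 23, "pid": 4242, "image": PY, "kind": "file", "action": "delete", "path": TMP + "keycat_data_39fce4e68050.zip"},
    {"ts": 2, "pid": 900, "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "kind": "net", "method": "POST", "url": "https://web.telegram.org/a/"},
    {"ts": 7, "pid": 77, "image": "/usr/bin/python3", "kind": "net", "method": "GET", "url": "https://api.ipify.org"},
]

if __name__ == "__main__":
    for pid, tag, detail in detect(EVENTS):
        print(f"pid {pid}: {tag} ({detail})")
```

The token match is kept separate from the chain logic because it is the only rule that degrades against derivative builds: a buyer who swaps TOKEN and ADMIN_ID defeats KNOWN_BAD_TOKENS but still produces the same beacon chain and the same create/send/delete pattern.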
Network Level Controls
- Any HTTPS POST to api.telegram[.]org whose URL path contains the bot token 8580574873:AAEpwGPFMGWBDnNfGxwd9XGtl44y0nnDdwk should trigger an immediate block and alert. TLS inspection is a prerequisite: without it only the DNS name and TLS SNI (api.telegram[.]org) are visible, which does not distinguish KeyCat from legitimate Telegram use.
- Submit the token to Telegram's abuse contact (abuse@telegram.org) for revocation; revoking it terminates C2 and exfiltration for every active deployment that still uses this build's token. Derivative builds with their own TOKEN and ADMIN_ID are unaffected.
- Block and monitor all DNS resolution and traffic to pantaleoagricoltura[.]it, a confirmed compromised staging server actively hosting the stealer payload.
- On non-developer endpoints, flag Python processes (python.exe, pythonw.exe, python3) initiating outbound HTTPS to github[.]com for the LaZagne release path, and any non-browser process calling api.telegram[.]org/bot<token>/sendDocument. The sendDocument method has no routine user-side invocation pattern from an endpoint.
- Known paste and file-sharing staging URLs should be blocked; the operational risk of doing so is low. Monitor for newly surfaced staging infrastructure, including paste services and Telegram-distributed links, as the operator is likely to rotate hosting across builds.
Cyber Threat Intelligence via Flare
The GitHub Gist containing the KeyCat stealer source code was flagged as “High” severity by Flare. The subsequent keyword search “keycat” conducted via Flare surfaced distinct Telegram channel posts, including Tunisia-focused activity, representing a material threat escalation (regionalized theft targeting, stealer commercialization and MaaS/StaaS activity). Active monitoring of @keycatadmin remains the high priority collection requirement, and any new token, updated payload, or infrastructure change is likely to surface on Flare.
Credential Rotation and Incident Response
Treat all credentials accessible to the compromised user account as exfiltrated. KeyCat collects Wi-Fi PSKs, browser-stored credentials via LaZagne, SSH private keys (id_rsa, id_rsa.pub), and keyword-matched documents including .kdbx and .ovpn files, packs them into a ZIP, and transmits it over Telegram.
On confirmed or suspected execution, prioritize the following:
- Rotate all browser-stored credentials, saved Wi-Fi PSKs, and any SSH keys present in ~/.ssh/; these are collected unconditionally, regardless of filename or keyword match. Replace the SSH keys on every server that trusts them, not only on the compromised host.
- Audit %TEMP% (Windows) and /tmp (Linux) for residual keycat_data_<HWID>.zip, passwords_<timestamp>.txt, or screenshot_<timestamp>.png. These files are deleted after exfiltration, so their presence indicates an interrupted run, and their absence does not rule out a completed one.
- Remove LaZagne staging directories (%APPDATA%\LaZagne\ on Windows; ~/.config/LaZagne/ on Linux).
- On Linux, inspect the full crontab and compare ~/.bashrc against a clean baseline. On Windows, check HKCU\Software\Microsoft\Windows\CurrentVersion\Run for a WindowsUpdateService value pointing to pythonw.exe.
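The Linux and Windows persistence checks in the last item above, as an added example written for this page rather than code from the original post or from KeyCat. The parsers use the command shapes quoted in the ATT&CK table for install_persistence(); the crontab and .bashrc contents, Run-key values and script paths fed to them are constructed samples. On a live host, audit_linux_live() and audit_windows_run_key() read the real artifacts (the latter only does anything on Windows).

```python
import re
import subprocess
import sys
from pathlib import Path
from typing import Dict, List, Optional

# Command shapes from the ATT&CK table: cron @reboot line, .bashrc background launch,
# and the HKCU Run value named WindowsUpdateService that runs pythonw.exe "<script>".
CRON_RE = re.compile(r"^@reboot\s+(?:\S*/)?python3?\s+(?P<path>\S+)\s*>/dev/null\s+2>&1\s*$")
BASHRC_RE = re.compile(r"\(\s*(?:\S*/)?python3?\s+(?P<path>\S+)\s*&>/dev/null\s*&\s*\)")
RUN_VALUE_NAME = "WindowsUpdateService"
RUN_DATA_RE = re.compile(r'^pythonw\.exe\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)


def audit_crontab(text: str) -> List[str]:
    """Every @reboot python entry, duplicates included: KeyCat may add one per run."""
    hits = []
    for line in text.splitlines():
        m = CRON_RE.match(line.strip())
        if m:
            hits.append(m.group("path"))
    return hits


def audit_bashrc(text: str) -> List[str]:
    """Background launches of the form (python3 <path> &>/dev/null &)."""
    return [m.group("path") for m in BASHRC_RE.finditer(text)]


def audit_run_value(name: str, data: str) -> Optional[Dict[str, str]]:
    """One HKCU Run value. Flag the known value name, or any pythonw.exe launcher."""
    m = RUN_DATA_RE.match(data.strip())
    if name == RUN_VALUE_NAME or m:
        return {"value": name, "data": data, "script": m.group("path") if m else ""}
    return None


def audit_linux_live() -> Dict[str, List[str]]:
    """Read the current user's crontab and ~/.bashrc on a Unix host."""
    try:
        cron = subprocess.run(["crontab", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        cron = ""  # no cron installed
    bashrc = Path.home() / ".bashrc"
    text = bashrc.read_text(errors="replace") if bashrc.exists() else ""
    return {"crontab": audit_crontab(cron), "bashrc": audit_bashrc(text)}


def audit_windows_run_key() -> List[Dict[str, str]]:
    """Enumerate HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run; [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    hits = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            hit = audit_run_value(name, str(data))
            if hit:
                hits.append(hit)
            i += 1
    return hits


# Constructed samples; the script locations are assumptions, not paths from the report.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/backup.sh
@reboot /usr/bin/python3 /home/user/.cache/stealer.py >/dev/null 2>&1
@reboot /usr/bin/python3 /home/user/.cache/stealer.py >/dev/null 2>&1
"""
SAMPLE_BASHRC = """\
alias ll='ls -la'
(python3 /home/user/.cache/stealer.py &>/dev/null &)
"""
SAMPLE_RUN_VALUES = [
    ("OneDrive", '"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("WindowsUpdateService", 'pythonw.exe "C:\\Users\\user\\AppData\\Roaming\\stealer.py"'),
]

if __name__ == "__main__":
    print("crontab:", audit_crontab(SAMPLE_CRONTAB))
    print("bashrc :", audit_bashrc(SAMPLE_BASHRC))
    print("run key:", [audit_run_value(n, d) for n, d in SAMPLE_RUN_VALUES])
```

audit_crontab deliberately returns one entry per matching line rather than a set: two identical @reboot lines in the sample reflect the repeated-append behavior described under Linux indicators, and the count tells you how many runs wrote persistence. Remediation is the reverse of the parse: rewrite the crontab without those lines, strip the subshell from ~/.bashrc, and delete the Run value, then terminate the running process.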
What Security Teams Can Take Away
KeyCat is a fully operational, multi-platform information stealer with confirmed active staging infrastructure and a live Telegram C2 channel. The toolset delivers credential theft, persistence, and interactive post-exploitation capability under a single shared bot token, lowering the barrier to effective deployment.
The $40 source code sale and the relaunch of KeyCat as StaaS with additional criminal offerings materially expand the threat's operational reach. At that price point and with a bundled tutorial, independent deployments with reconfigured tokens and admin chat IDs are operationally and financially feasible at scale. Token-specific detection degrades immediately against derivative builds; behavioral and structural signatures are the only durable detection layer.
Continued keyword monitoring for KeyCat variants via Flare, active tracking of @keycatadmin for updated payloads and infrastructure, and behavioral detection tuned to the stealer's execution pattern (LaZagne staging, Telegram API requests from non-messaging processes, dual Linux persistence writes) remain the high-priority defensive actions.
References and Sources
- Initial Intelligence Lead: Flare Global Search – Flare.io
- Source Code on Gist: gist.github.com/bvm7x7/5fdcbf6fbe126b28fd30a0048dc3fcb7
- Telegram C2 Telemetry (extracted via Matkap) – matkap.cti.monster
- SANS ISC sample: Python InfoStealer with Embedded Phishing Webserver – isc.sans.edu/diary/31924
- PXA Stealer – beazley.security/insights/ghost-in-the-zip-new-pxa-stealer-and-its-telegram-powered-ecosystem